Malware Analysis Report

2024-09-23 02:51

Sample ID 240712-dxcwgaygmc
Target XClient.exe
SHA256 a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c
Tags
xworm stormkitty execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm stormkitty execution persistence rat spyware stealer trojan

Xworm

StormKitty

Xworm family

StormKitty payload

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-12 03:22

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 03:22

Reported

2024-07-12 03:25

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GtagCosmeticGiver = "C:\\Users\\Admin\\AppData\\Roaming\\GtagCosmeticGiver.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 1576 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GtagCosmeticGiver.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GtagCosmeticGiver" /tr "C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe"

C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe

C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d9751f-61f3-45a4-a862-bb6d9d781816} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 25789 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ee5af6-abf0-49bd-849f-d543d0f9656c} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2956 -prefsLen 25930 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad4d01f2-94cf-4302-8ed4-aea216e4014b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3832 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3769bf2b-5f21-4002-b1d2-c528c94ea00e} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4484 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c10fcce-2ac7-424d-87a3-93d6d1324ab3} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c81a411c-b6b6-47f0-9881-07a89743c01b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fd90b4-7520-4e05-982c-4b223cc8f417} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5940 -prefMapHandle 5948 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15a70e42-60eb-4ac7-bd6d-ac98ce43b7e7} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab

C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe

C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe

C:\Users\Admin\AppData\Local\Temp\bbplsq.exe

"C:\Users\Admin\AppData\Local\Temp\bbplsq.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x408 0x520

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 t-protecting.gl.at.ply.gg udp
US 147.185.221.20:24735 t-protecting.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 147.185.221.20:24735 t-protecting.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 147.185.221.20:24735 t-protecting.gl.at.ply.gg tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 147.185.221.20:24735 t-protecting.gl.at.ply.gg tcp
US 147.185.221.20:24735 t-protecting.gl.at.ply.gg tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
N/A 127.0.0.1:61269 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 21.121.242.44.in-addr.arpa udp
N/A 127.0.0.1:61277 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/1576-0-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp

memory/1576-1-0x0000000000790000-0x00000000007A0000-memory.dmp

memory/1576-2-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

memory/548-3-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

memory/548-4-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjlxof14.abo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/548-5-0x000002297F640000-0x000002297F662000-memory.dmp

memory/548-15-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

memory/548-18-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63aec5618613b4be6bd15b82345a971e
SHA1 cf3df18b2ed2b082a513dd53e55afb720cefe40e
SHA256 f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721
SHA512 a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4165c906a376e655973cef247b5128f1
SHA1 c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256 fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA512 15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

memory/1576-57-0x000000001DDC0000-0x000000001DEE0000-memory.dmp

memory/1576-96-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp

memory/1576-97-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp

memory/1576-98-0x0000000000F60000-0x0000000000F6E000-memory.dmp

memory/1576-99-0x000000001B480000-0x000000001B488000-memory.dmp

memory/1576-100-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

memory/1576-101-0x000000001E4E0000-0x000000001E830000-memory.dmp

C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe

MD5 40fd7f5d00604ab1cc3abf3125acce25
SHA1 7c5e873cdc6cc1441f35e3eb5359b90adf2b6312
SHA256 a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c
SHA512 494b8492dedc35d27c42b5131c076c792ebdcf72514a540c9905edb4796e92ee8dc94f43dd8b8968c83128d0c6d2f31e7f3ee9ece6950935db165c08a8b1c4dc

memory/740-106-0x00007FF77D020000-0x00007FF77D118000-memory.dmp

memory/740-107-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp

memory/740-108-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp

memory/740-116-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp

memory/740-115-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp

memory/740-114-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1cb04339-5421-40c0-a1ed-1dcb6bd908ef

MD5 5e31017e8e9e2f8afbf7b9624e9b01ac
SHA1 a528a935e7546cefc5258afd4dd6001a1b715441
SHA256 7c3f2acc3b4dc3811e054cb469127ac736427951cf1f7f9cb9b0e9234b3176da
SHA512 65b57dd14d7343c3ee3ac50689919255712a3ad4ec85dfaefd9eced743f0c5cec9c089741b5b3e45eec82bb8a051ffaf816262351b0861060cb7fe7bbb6d540e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1507d9a3-c0d2-4af1-9c68-d2586fa35b64

MD5 761acf532df1ab6f0747ee606fcd454c
SHA1 6cbbaa8778b592b8b89bfd56a3c0d2bfd50501d7
SHA256 be3a52f2b2b0c85913ff5ddee0706a56cfb06f7b518d7bfb464f1c76d9726c4a
SHA512 6310b63719489e947aacca18266dde8ccc28e8eb9f87373e98b5a5d5773cdec2cec5790971465657a36d6899b55f0e31d80e3d876f05660b4af6eeb07e726acb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 37bba839c8b30d381eb797a46497e9ea
SHA1 b27d636af1557c706e8055ea395b86dcb431cd21
SHA256 fecfac36109a7a463571bb82edae75885d2f1c83ee754c652b80239511c4c5af
SHA512 1c36511600d3549641de74c5620bb8f731aef89e668a7b83e18223d90c9b44aaf0439d19c6669a4f84253cf3cdbc7541ae57548cbdaf9b42abe63d9ea1bfc2de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk

MD5 714933964af9d9c57ab098ea2f766f67
SHA1 346594e15d730728754004067ef9253793707f3f
SHA256 32c935a9bcdc8ef95a8dd943f9834c70b9d519891008a9c5fa81ecd942a9b242
SHA512 14a9aedaabeed2ee45ec22d9870829b11ce99402619ec4b07542f21c54ede79c2a61643debdaa97a44458ad2f72d8d3c218a51b3e6114306b86a0bff6c697f2e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\activity-stream.discovery_stream.json.tmp

MD5 f058c0bfd3f016ff04af0fe62c279cad
SHA1 697a36f5059b623f236d94d705d8821bbf447720
SHA256 cd0c06c298eb0076ddc77d0292b29432bafffd09a23d14f1b15e992844a956ed
SHA512 f11bb8cd1e81c1b5f943bbc4e25615f5c7c2a33f288ed88971b3b8ea270690c254ef04766a862a4c62216e7f457d99bfc4d83592d0e65b52dda13f4d04a979d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 dd95d66db3410293e26f2d5733f0fa8e
SHA1 fe9860b7bbd5fb28069229efb716219f65ae51e9
SHA256 4ba4ca0e7a1864600b2cf0038878510845e9485af93c4367481b7dcd15c2ffc6
SHA512 3827f00819754e40e945b632c0a410b22539bfdf0c91c7a62e2d35623a65029d3674b575bab504f0f9ee599d2042df853b53475dd4fd72d4823b0745f98ec28b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp

MD5 c2dabad1a62b63d9dbc902e9f6a573a0
SHA1 371609f590c447285b401aec0c3c1744461b2b50
SHA256 408c5af50a9cc4a705fcc0293283f27cb8b1571e4a578f15279b08478a92a140
SHA512 6bb0285d8f318e7e0e15325ea77a8efd8821e5e789de370c5d8f06dae2d1e7851955b4f98085e77dcc1841dffd652d2978a2c0b235e61d796296240845f47ab5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin

MD5 8e12a86a8f85c892c9c5a7eb15671019
SHA1 930dda8e9ea2ce7e841e6e1b21481067e0dc04f2
SHA256 99f77159c3858c263c3665e1e8b1461759f3fe0674e1c1e4f8477cd780296f7b
SHA512 b1c6035a2f7d95e86cbcc3319d6c69b7fc27b1849064fe6235e4d253bbe97003ca7b4778599b45f2a5e2a330cfa2359f99f33c13f618a6b1595a16c5d44513a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js

MD5 b759a48a1f709035e74528cc6f47c5fb
SHA1 9c2a1c8bc069157d72ea76daf944a9b0c81b85f7
SHA256 14101a450a352e958a953da6579fa139d1171ccaa4c03dd4274970519d3fd296
SHA512 4b1647a2a27ccc4202fdd54ca856be5e484fb8191ae8aea13b095a8b4efbffee556985b5f15b97ac9fa9a7e8ade41351e0328546c073ae4bf900de3a071f4246

memory/452-414-0x00007FF77D020000-0x00007FF77D118000-memory.dmp

memory/452-423-0x00007FFCC8EE0000-0x00007FFCC8EF1000-memory.dmp

memory/452-416-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp

memory/452-422-0x00007FFCC8F00000-0x00007FFCC8F1D000-memory.dmp

memory/452-424-0x00007FFCB2490000-0x00007FFCB269B000-memory.dmp

memory/452-421-0x00007FFCC9340000-0x00007FFCC9351000-memory.dmp

memory/452-420-0x00007FFCCA050000-0x00007FFCCA067000-memory.dmp

memory/452-419-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp

memory/452-418-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp

memory/452-417-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp

memory/452-415-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp

memory/452-432-0x00007FFCB2AD0000-0x00007FFCB2B2C000-memory.dmp

memory/452-431-0x00007FFCBAFA0000-0x00007FFCBAFB1000-memory.dmp

memory/452-430-0x00007FFCC0210000-0x00007FFCC0221000-memory.dmp

memory/452-429-0x00007FFCC08D0000-0x00007FFCC08E1000-memory.dmp

memory/452-428-0x00007FFCC8110000-0x00007FFCC8128000-memory.dmp

memory/452-427-0x00007FFCC5650000-0x00007FFCC5671000-memory.dmp

memory/452-426-0x00007FFCB6C90000-0x00007FFCB6CD1000-memory.dmp

memory/452-425-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js

MD5 f6a766e4c70b2b22418b7ce43b01b10d
SHA1 dc0ff96917a1755f66204447ebe57aa471d4f1e8
SHA256 01d56a4fb96afce34ad83f1b2d799b59fb106ea2909e8704889fb77ef7106df4
SHA512 ac176cc9d0491b3cf0f535569d77ecd411e295b97414401e38c0b8fa4dc043ecfb3247210b5ec9c2c9d70b9baff647820338103e81a5ae4b90fd7a6dbaae4bc7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\sessionCheckpoints.json

MD5 948a7403e323297c6bb8a5c791b42866
SHA1 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

memory/452-527-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GtagCosmeticGiver.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\bbplsq.exe

MD5 bd65d387482def1fe00b50406f731763
SHA1 d06a2ba2e29228f443f97d1dd3a8da5dd7df5903
SHA256 1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997
SHA512 351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9